Security & Compliance

Last updated: April 30, 2026

SyncSOAP is designed for privacy-conscious clinical documentation workflows. This page summarizes the technical and operational safeguards built into the product at a high level. It is provided for general informational purposes and does not replace customer-specific legal, compliance, or security review. The product is built to support HIPAA-aligned use, but compliance depends on the deployment, the BAA, and the customer's operational safeguards. Live PHI workflows remain gated until the required agreements, approvals, and environment controls are in place.

1. Workflow model

  • SyncSOAP generates draft clinical documentation from encounter audio, transcript text, and optional clinical images.
  • The clinician remains responsible for reviewing, editing, and approving the final note before it is used in the official chart.
  • The current product is optimized for a copy/paste workflow into the customer's existing EHR system and is not intended to be the long-term system of record.

2. Data protection controls

  • Data in transit is protected with TLS (HTTPS).
  • Application access is authenticated and restricted to authorized users.
  • The main clinician workflow is designed to stay usable from ordinary hospital, clinic, and home networks rather than depending on per-user IP allowlists.
  • Object storage access uses signed or otherwise authenticated access patterns rather than public file exposure.
  • Production secrets are intended to live in AWS Secrets Manager and be accessed through IAM-backed service identity rather than shared plaintext configuration.
  • Passkeys and biometric-backed sign-in are available today; optional authenticator-based MFA remains available as an additional fallback factor for users who want one.
  • Workforce devices that can access PHI should use full-disk encryption and local screen locks.
  • Audit logging is used for important workflow and access events.
  • Environment flags are used to gate sensitive workflows and approved AI-processing paths.

3. Cloud services and subprocessors

SyncSOAP may rely on multiple cloud and software providers for hosting, authentication, database operations, object storage, email delivery, transcription, language-model drafting, and image analysis. Depending on the configured environment, different approved providers may handle different parts of the workflow.

Customers should confirm that each production subprocessor used in their deployment is acceptable for the intended workload and, where required, covered by the appropriate contractual terms or business associate arrangements. Running SyncSOAP on AWS or any other cloud platform does not by itself make a customer deployment compliant.

Depending on the customer relationship, the applicable Business Associate Agreement may be accepted electronically during onboarding or executed separately through a written agreement, order form, or addendum.

4. Retention and export workflow

SyncSOAP is designed around short-term operational storage rather than long-term chart custody. Users should review and export or copy the final note into the official EHR record within the configured retention window.

5. Shared responsibility

  • SyncSOAP is responsible for the application controls implemented in the deployed product.
  • Customers are responsible for user provisioning, device practices, local operational procedures, downstream EHR handling, internal policy compliance, and verifying that the final production configuration matches their legal and compliance requirements.
  • Customers should perform their own legal and compliance review before using the Service with regulated data in production.

6. Questions

If you need deployment-specific security or compliance details, please contact the application administrator before production use.